MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463
SHA3-384 hash:	4f0180dcd5d0fb579b047377a7a44233b7263831dc6db7d6fbcc0485b972a67efe3d7b5a01b73e6e34665b815b6836f5
SHA1 hash:	9a0d0922a41a9d55ace2c7024cd4bfdae88c42b1
MD5 hash:	0de90c36257d7e8bc7d0f45b31a13147
humanhash:	east-michigan-ohio-mars
File name:	INVOICE SWIFT COPY.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	704'000 bytes
First seen:	2023-05-19 06:58:42 UTC
Last seen:	2023-05-20 15:05:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:DqB2mz80g6eLY1YHk/vfLtDguNsT0q4jvrGyrZcq54mKqjE:DqlgDc6SDxguuoq6zGyh54mj
Threatray	1'469 similar samples on MalwareBazaar
TLSH	T1B3E4D01423E49B46E1BA87F45CE0D2B05BB69D9AB036C21B0ED6FCDB31A9F610750A17
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	cocaman
Tags:	AgentTesla exe INVOICE

Intelligence

File Origin

# of uploads :

# of downloads :

254

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

INVOICE SWIFT COPY (002).zip

Verdict:

Malicious activity

Analysis date:

2023-05-19 06:48:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d9514eb3-78e0-45fd-917d-4daee07e5f5c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILMamut.10688.26493.32083.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/64671e37252ac092ee21cb7a/reports/e62b83d3-a3fe-483e-8070-5297fb613b24/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILMamut

Link:

https://www.hybrid-analysis.com/sample/9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/f7c2cd04-4a2a-4df9-baea-fa2faefd774e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1236891

Signature

Adds a directory exclusion to Windows Defender

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-18 08:26:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=trcnlmymt3a5lmldyit3mw2ua4ozb4ozk2nnqe6jk6st3ol4errq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

392f81419000cc840371e050cea8f8bc182353ee9dafa2efd158a75a54886e62

AgentTesla

7149bce0cf55829579b5e141f8c270f9d9c6f152e37a02695f64f5d6adfa4381

AgentTesla

ad06dd86354aa9e61e6de1aabf9efa7539fb13edb2e23e1eb63b86d59203e55f

AgentTesla

b3303273446384f72e2a0f90c455f69598f341164c2bcfded2cf95b30e3a9295

AgentTesla

cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222

AgentTesla

d89787191bcbb0685fe37fb26409367f1b00a23e4f578081785f7dba7aa2a9ce

AgentTesla

e3e6d851f1598eb145492e46d7431f72436178f1a60ebc4d6742839e12d52200

AgentTesla

f0f7717c93fa1fc099bb73da00989d8e75f24047779c1c54e74db9c21db6b3d8

AgentTesla

+ 1'459 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/230519-hr3bdsff39/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

98038b763950f8de3efffa83da020669fbd376492deb24c75b25bbd4a1c2ce07

MD5 hash:

aa445eee133a93b202ea105e5de4e232

SHA1 hash:

c0968cfa259d38fb80af27465c314ba889b08296

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/da456267-99ef-442e-8ba6-e79f209e481f/

Parent samples :

baaba65de7ee0a52274e439f9cfc6e1ad5e55f74dc43644c33c27863c99f9c4e
3c3e9ce2a4c9d2022601a66e6753d37cf92ae3940e87e62b46999eb4411264f8
3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b
91cdc121ddcc77ba9e01963b2ff1a92192cd4a7804915a67b598f69d457160b3
9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463
47438e1a176f18053c6a9de8c2834a3d5ffeb78bb7efa09c6dea99aa7da44991
a357b85560b1159abbca744e8226315663cfa2d3778046eaedfe82dc293446e5
16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
fe304cb0925bffe7c7314fb8c4bc50c15b82e49c81fe176c8482ea1ed6f51bc8
b5b3f18d4a9208ec2a9b1b8e1d1e1e8dfa6f6b749223fcb021839038d015d92f
892887bf977985a7b3c64ac19d31facf3af7e783b25173665c8cc48d804cca45
9cd47c4593254f37eb5bef6b0d887f7132ce6d9678af33799da736d6073382fa
65cea55d24d19444f39704ab0836a07e7e89a99b244abfad347516b14f58af0b
12d37f94ebe64d74e7cc1a4290af6797832b512a223d03d410171f47cd979065
cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef
cc1214e080d2525cf0b00c622186d0f78a228d3f6dc933cad0f0114d505a73f7
e5dbce139ab26dc9f743ca4161894d49adddd7c9bd0f1ac4adf4177aec479b69
0501f9ee9fe9f858c159e067280b30badb60ce0e430abb1e60b3581edd8a971b
0725b0bb5b536502fd3a4593864bbf3b25dcacc3b3259162080909284c1348de
b79d3384f353bf024148b984f6d96e272c30b7547a00fb5d6f05524dbcc435a8
dc0e2395ee3f6a75876ca8cb0b8a876ac8494dc0d317a432ea5d1ba758296063
b1dd2f23a4e0925adcfe19c55bf701af33e6d3d66f3fd1537d30ea7ceddee9a4
cabf5777651e17c1d64384cefbf5f7ce2fc7abedff68901c96174dd16612caf1
f25d6018d3bab1f7651937b7b8e618979ea3c45b06e42e3d93e8b59cac9d46c3
be9496d0210e6343ea547889586015ab09bd8d25061f154a3f9f0922ea5a61de
37a72a158a2325b4967c6b2a9835fa722b6ca3789316c6120d3f263bfb6c15e7
26a294c50930c0cd9fbed08dd7fb63ea59bd2300eed46c452de0b4c5f7b95309
0828689925ecabda99bd3939a58b034387e6cd4c153c7652a0450d93010ccae3
0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4
83b11e62d88278fd953ef2496d6e6217d314defc55f7ba1fbb4d0a00ec6651b2
fb1c133bb4d681619adff92051b62f07da505ca6f15906b4fbb125bd65b1f190
9e2f5bad6acb0454f71026526cb9d5d78985ef6e566b433b04ba7aba5b277ddb
4316bebd7893238fab61d5cc2a4bdca1d65ad8f631347c949485b0c3a3b1353b
e2811e462b73fc7c62941b8472d9989a048509e8e6aed7012bc5f786d0f7bbe7
90d63293d26ff8d79d3cb130d63e4d69646527a8c61ea5308288980fcfd5189d
cbc632ae3dd2c72c24bd2b4ab8e53ff56aa2e742911ec9512432f0788b104e3c
93184419005707ae02f08ee38bf8381c4a87fc14a9715fb660ad48f6e1665f98
174e2237b3157582189f15393ba0a1771ac0fb62fb479690b46de1b61071b491
244ca73815a8c8303d9738bf0dd0fb859736fc69ea5103329ba2f6be2f9637eb
8c72d6594c46c605916cf3456b84810a1982c7f62f9c66d7eeb12bd0da0e82d0
e0a14b9acddbf73d270c2eabf671ce58e1c2aaa237ccf2de320efedc947b6ccc
69e82246e2a2444321ad9c8c84a445b8ec6b18702c2407565cae60e07b3823ef
4fb354ecdf9b230311b7b6bc60b1016f5f17653a1653e1c6fa1fbbbc92a08a30
e4319322a73a875512b80a2cc5bebf8c963f3e657258a6e7afd90919c8553fdf
40b4f0f7a724e1dc0abb235b73cbd1b50defaf387fb18b5535197607311056d2
a988d3605915b2f831729ebcde7d9ef7d169a549f3d3b7b1de604a9c07abee14
a81e919be20c26807dc7d775ccdc026d4a9daf0116661dff5e3fbdaf29effe19
8dd68257e8d07b2e0d25da886cdb7cb487085b99a469984369d486812596ea12
26794f7598febe976fb23ad9abe87ca823f65730957ce7821ce5bc9e6dbfab92
d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774

SH256 hash:

1516a750790d9430b0d9ef710aea2a1297c8bcdbae22f1453e623c4be7b5f98f

MD5 hash:

f8b9df08dce0e4b01f9557e4ea217f91

SHA1 hash:

bca397877a238ebbcdcfde3ecff6bda5afd8f9cd

Link:

https://www.unpac.me/results/da456267-99ef-442e-8ba6-e79f209e481f/

SH256 hash:

2907ceb0aff33154a49177d6e04e822538f3fb439a55264cdf84b162564afea6

MD5 hash:

ae06e9b9c5d6df3bdb39fbbc75d9b9cd

SHA1 hash:

b03aff7dda4462819b1250e44d80c83aca37237f

Link:

https://www.unpac.me/results/da456267-99ef-442e-8ba6-e79f209e481f/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/da456267-99ef-442e-8ba6-e79f209e481f/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

41929cdbfca0d4ff9770b20c1fe90ded254b9662314b3382172483b8a3c30b35

MD5 hash:

6f1443378284f31c3209df5722cd2424

SHA1 hash:

472829d74707f15b5bec94f8b7b6bf44d04feb55

Link:

https://www.unpac.me/results/da456267-99ef-442e-8ba6-e79f209e481f/

SH256 hash:

9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463

MD5 hash:

0de90c36257d7e8bc7d0f45b31a13147

SHA1 hash:

9a0d0922a41a9d55ace2c7024cd4bfdae88c42b1

Link:

https://www.unpac.me/results/da456267-99ef-442e-8ba6-e79f209e481f/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9c44d5b30c9e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 97e8f682e55292ced96ad0b8ac320581950d2648e57d2b463470754fa0b98f73

AgentTesla

exe 9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463

(this sample)

Delivery method

Other

Dropped by

SHA256 97e8f682e55292ced96ad0b8ac320581950d2648e57d2b463470754fa0b98f73

Dropped by

MD5 f3b034889c7524d6f5636549af97962a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample